我在运行Docker的Windows计算机上。 Docker映像为FROM php:7.3-apache。
与
系统:Linux b6df004de9df 4.9.184-linuxkit#1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64
在Composer版本1.9.0 2019-08-02 20:55:32中成功安装了Composer。
现在,我进入容器的bash并输入了 $ composer init 命令,该命令成功运行并初始化了Composer,但是在安装 $ composer 命令,它会给出错误
[Composer \ Downloader \ TransportException] 无法提供“ https://repo.packagist.org/packages.json”文件 下载:SSL操作失败,代码为1。打开SSL错误 消息:错误:1416F086:SSL 例程:tls_process_server_certificate:证书验证失败
无法启用加密,无法打开流:操作失败
正如我看到的证书的OpenSSL错误一样,我试图获取确切的错误:
root @ b6df004de9df:/ var / www / html / my_JSON_proj#openssl s_client -connect www.google.com:443 CONNECTED(00000003)depth = 2 C =美国,ST =加利福尼亚,O = Zscaler Inc.,OU = Zscaler Inc.,CN = Zscaler 中级根CA(zscalertwo.net),emailaddress = support@zscaler.com 验证错误:num = 20:无法获取本地颁发者证书
为再次确认,我再次尝试:
root @ b6df004de9df:/ var / www / html / my_JSON_proj#curl https://google.com 卷曲:(60)SSL证书问题:无法获取本地发行者证书
Openssl版本:OpenSSL 1.1.0k 2019年5月28日
openssl_get_cert_locations ()的输出:
array(8) {
["default_cert_file"]=> "/usr/lib/ssl/cert.pem"
["default_cert_file_env"]=> "SSL_CERT_FILE"
["default_cert_dir"]=> "/usr/lib/ssl/certs"
["default_cert_dir_env"]=> "SSL_CERT_DIR"
["default_private_dir"]=> "/usr/lib/ssl/private"
["default_default_cert_area"]=> "/usr/lib/ssl"
["ini_cafile"]=> ""
["ini_capath"]=> ""
}
因此,要解决此我尝试过的解决方案:
-
我创建了我的本地主机证书,编号:https://www.digicert.com/ssl-support/openssl-quick-reference-guide.htm#:~:targetText=OpenSSL%20is%20an%20open%2Dsource,and%20how%20to%20use%20them。但不确定何时将该证书放在 / usr / local / share / ca-certifcates / 文件夹中并尝试 卷曲https://google.com/ --cacert /usr/local/share/ca-certifcates/localhost.pem -仍然是相同的错误
-
编辑了我的 /usr/local/etc/php/php.ini php配置文件以添加
curl.cainfo="/usr/local/share/ca-certificates/localhost.pem"
openssl.cafile = "/usr/local/share/ca-certificates/localhost.pem"
只是找到-相同的错误
我一直在尝试这个,没有运气。我从字面上扫描了几乎所有与curl,OpenSSL,SSL,Docker等有关的堆栈溢出帖子,却找不到答案。
- 进一步的更新和发现
- 令人惊讶的是,我想知道https://curl.haxx.se/ca/cacert.pem提供的“ cacert.pem”文件(注意-http s )来解决SSL问题,而我却无法连接到安全链接,我什至还能从https下载pem文件?有点僵局?无论如何,所以我尝试使用
wget http://curl.haxx.se/ca/cacert.pem下载一种不安全的方式来获取pem文件,并且输出为:
- 令人惊讶的是,我想知道https://curl.haxx.se/ca/cacert.pem提供的“ cacert.pem”文件(注意-http s )来解决SSL问题,而我却无法连接到安全链接,我什至还能从https下载pem文件?有点僵局?无论如何,所以我尝试使用
root@b6df004de9df:/usr/local/etc/openssl# wget http://curl.haxx.se/ca/cacert.pem
--2019-11-08 10:21:30-- http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se (curl.haxx.se)... 151.101.38.49,2a04:4e42:9::561
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:80... connected.
HTTP request sent,awaiting response... 301 Moved Permanently
Location: https://curl.haxx.se/ca/cacert.pem [following]
--2019-11-08 10:21:31-- https://curl.haxx.se/ca/cacert.pem
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:443... connected.
ERROR: The certificate of 'curl.haxx.se' is not trusted.
ERROR: The certificate of 'curl.haxx.se' hasn't got a known issuer.
并且由于它是Linux服务器且没有可用的GUI,所以似乎我下载的唯一可能方法是通过终端而不是浏览器。
也就是说,我手动创建了cacert.pem文件,并从curl.haxx.se中输入了内容。然后使用以下更改更新了php.ini并重新启动了Apache服务器。
curl.cainfo: /usr/local/etc/openssl/cacert.pem&
openssl.cafile: /usr/local/etc/openssl/cacert.pem
仍然-卷曲:(60)SSL证书问题:无法获取本地发行者证书
-
根据“ openssl_get_cert_locations()”,将curl.cainfo和openssl.cafile更新为“ /usr/lib/ssl/cert.pem”作为其“ default_cert_file”。重新启动apache服务器。尝试过
curl https://www.google.com-仍然卷曲:(60)SSL证书问题:无法获取本地颁发者证书 -
创建了一个新目录'ssl',因为该目录尚不存在,并假定默认情况下OpenSSL目录为
/usr/local/ssl。在该文件夹中创建了cacert.pem文件。使用此新的更新路径更新了php.ini中的curl.cainfo和openssl.cafile条目。为了安全起见,以防万一,请执行update-ca-certificates --fresh。重新启动Apache服务器。尝试过curl https://www.google.com-仍然卷曲:(60)SSL证书问题:无法获取本地颁发者证书
请注意,cURL命令的完整输出:
root@b6df004de9df:/usr/lib/ssl/certs# curl https://thawte.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default,using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate,you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle,the certificate verification probably failed due to a
problem with the certificate (it might be expired,or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate,use
the -k (or --insecure) option.
root@b6df004de9df:/usr/lib/ssl/certs# openssl s_client -connect thawte.com:443
CONNECTED(00000003)
depth=2 C = US,ST = California,O = Zscaler Inc.,OU = Zscaler Inc.,CN = Zscaler Intermediate Root CA (zscalertwo.net),emailaddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Utah/
L=Lehi/O=DigiCert,Inc./OU=IT/CN=thawte.com
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailaddress=su
pport@zscaler.com
2 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailaddress=su
pport@zscaler.com
i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/emailaddress=support@zscaler.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIQv2zANBgkqhkiG9w0XcVFbs+k59YwRwR4v+pBAQsFADCB
jTELMAkMxEzARBgNVBAgGA1UEBhMCVVTCkNhbGlmb3JuaWExFTATBgNVBAoTDFpz
... few more lines ...
vxrc40H5bMPW/NgnBjRtUEPnAx9b3ll/sj3KfhbxU0bgnEYnmLb+nwnK6NDZRFpC
5E3fG+TFc9ehaBcF5xWttKz28Wr2nUUhMLhC
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Ut
ah/L=Lehi/O=DigiCert,Inc./OU=IT/CN=thawte.com
issuer=/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH,P-256,256 bits
---
SSL handshake has read 4270 bytes and written 326 bytes
Verification error: unable to get local issuer certificate
---
New,TLSv1.0,Cipher is ecdhe-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ecdhe-RSA-AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 06D54188D4F60C7746664262F72361EFE8DC728E9D37FDB25641A28C226DE83C3C574C781A0E4A268A7AEB6187EF54BF
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573209517
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
read:errno=0
当前用于构建映像的DockerFile:
FROM php:7.3-apache
RUN docker-php-ext-install mysql mysqli
RUN apt-get update -y && apt-get install -y sendmail libpng-dev
RUN apt-get update && \
apt-get install -y \
zlib1g-dev
libbz2-dev \
libfreetype6-dev \
libjpeg62-turbo-dev \
libpng12-dev \
libxpm-dev \
libvpx-dev \
libmcrypt-dev \
libmemcached-dev \
&& \
RUN docker-php-ext-install mbstring
RUN docker-php-ext-install zip
RUN docker-php-ext-install gd
RUN docker-php-ext-install opcache
RUN docker-php-ext-install \
bcmath \
bz2 \
exif \
ftp \
gd \
gettext \
mbstring \
mcrypt \
mysqli \
opcache \
pdo_mysql \
shmop \
sockets \
sysvmsg \
sysvsem \
sysvshm \
zip \
p7zip-full \
&& \